07/12/2012

Lawyer Use of Cloud Services Versus Email - An Ethical Distinction Without a Practical Difference

by ZixCorp

In earlier Legal Industry Series posts, we've examined the evolving ethics rules concerning lawyers' duty to protect the confidentiality of client information transmitted via the internet or stored in the "Cloud." In August 2012, the American Bar Association delegates will consider amendments to Model Rule 1.6 that would clarify the lawyers' responsibilities to take reasonable steps to protect electronic information related to the representation of a client. In the meantime, let's examine recent guidance from the Massachusetts Bar Association.

Massachusetts Bar Association Opinion 12-03
On May 17, 2012, the Committee on Professional Ethics of the Massachusetts Bar Association addressed in Opinion 12-03 whether lawyers in that state are, consistent with ethics rules, entitled to store and synchronize electronic work files containing confidential client information using an Internet-based storage solution. The opinion notes that Rule 1.6(a) of the Massachusetts Rules of Professional Conduct imposes upon lawyers the obligation to avoid using means of communication with the client that pose an unreasonable risk of inadvertent disclosure to third persons.

Opinion 12-03 concludes that Massachusetts lawyers are permitted to use Cloud document storage and transmission solutions on the condition that they undertake reasonable efforts to ensure that the solution provider's terms of use and data privacy policies, practices and procedures are compatible with the lawyer's professional obligations, including the obligation to protect confidential client information reflected in Rule 1.6(a). The opinion compares this conclusion to earlier guidance provided by the Committee on Professional Ethics about lawyers using email and remote technical support. [Thanks to the Boston College Legal Eagle for bringing this opinion to my attention.]

Cloud Service Terms and Policies
Opinion 12-03 says that "reasonable efforts" with respect to a Cloud document storage and transmission provider would include:

•examining terms of use and written policies and procedures about data privacy and the handling of confidential information;
•ensuring terms of use and written policies and procedures prohibit unauthorized access to data;
•ensuring terms of use and written policies and procedures, as well as its functional capabilities, give reasonable access to, and control over, the data stored on the provider's system;
•examining practices and service history to reasonably ensure that data stored actually will remain confidential; and
•periodically revisiting and reexamining those policies, practices and procedures.

The opinion does not say this is an exclusive list of steps that a lawyer must take to meet a reasonable efforts standard. It merely says that reasonable efforts “would include” those items. There may, therefore, be additional steps that are reasonable for an attorney to take to protect client confidential information.

Client-Selected Services
It is unclear whether similar diligence efforts are required when the lawyer’s client chooses, and directs the lawyer to use, a particular internet solution (which might be an e-room, board portal, document transfer service or email provider). The opinion does not state that the attorney can simply rely on the client’s choice of service provider. Although it might be reasonable for an attorney to rely on Cloud service provider choices by a knowledgeable, technologically-sophisticated client, not all clients fit that definition. It’s unlikely that an individual client who is using a free webmail service has conducted the diligence steps described in Opinion 12-03.

The diligence approach becomes far more difficult if it is applied to multiple Cloud solutions. It is impractical to expect the lawyer to know, and reconfirm on a periodic basis, the terms, policies, practices and procedures of multiple Cloud services providers used by various clients. In particular, it assumes that the lawyer has the ability to know the terms of use and data privacy policies, practices and procedures of all email solution providers that are relevant to the transmission and storage of confidential client information. This might even include knowing what policies apply to servers operated by third parties along the chain of transmission – not merely the servers operated by the client’s email provider – because the email could be captured and stored on those intermediate servers.

Your Mother’s Cloud, But Not Her Email
The Cloud is not new. “Cloud” services are simply a new way of describing third party services accessed remotely via an Internet connection. There have been Cloud services since the 1980s, including email. In fact, when analyzing Cloud services in Opinion 12-03, the Committee on Professional Ethics cites Massachusetts Bar Association's Opinion 00-1 (1998), which addressed a lawyer's use of unencrypted email to engage in confidential communications with a client. What has changed is how people utilize Cloud services.

In 1998, the Nora Ephron film "You’ve Got Mail" depicted then-novel use of AOL email. Back in those days, email was used mostly for text messages. Users generally did not attach large documents to email. At the time of that 1998 opinion, email typically was stored by the service provider only until it was delivered to the recipient. Users generally did not remotely store vast amounts of email and attachments for extended periods. Today, however, lawyers and clients commonly transmit confidential documents via email. Users often use their Cloud email host for file storage. They store emails, including attachments, for extended periods – even years.

In 1998, email hosts did not inspect in detail the content of emails and attachments. Today, web email services like Google and Yahoo! scan email content and attachments (called deep packet inspection) to look for spam and viruses. They also scan it in order to display advertising that is customized for the recipient based on the content of the emails. The New York State Bar Association said in Opinion 820 (2008) that automated deep packet inspection of confidential attorney-client email to generate advertising is ethically permissible. Nevertheless, lawyers should consider how their clients would react to receiving targeted advertising that is prompted by the content of supposedly-confidential attorney emails.

The ways that clients and lawyers use email and the Cloud has evolved since 1998. More recently, lawyers have begun to use types of Cloud services to enable file synchronization, sharing and storage. Nonetheless, electronic document transmission and storage is not a newly-mutated species of Cloud services entirely different from Cloud email.

When is a Cloud Service Not a Cloud Service?
The 1998 Opinion 00-1 concludes that a lawyer's use of unencrypted Internet e-mail to engage in confidential communications with a client does not "in usual circumstances" or "in most instances" violate ethics obligations of confidentiality. Opinion 00-1 does not grant lawyers blanket permission to always use unencrypted email. Some Massachusetts lawyers mistakenly think they are free to use unencrypted email regardless of the circumstances. Unfortunately, Opinion 12-03 perpetuates this misinterpretation about lawyers’ ethical ability to use unsecured email.

The new opinion distinguishes Cloud file storage and transfer services from Cloud email services; imposing restrictions on lawyers’ use of Cloud file storage and transfer services that are not applied to Cloud email services. Massachusetts is not the only state to create a distinction between Cloud email and other types of Cloud services. I recommend reviewing “Cloud Ethics Opinions Around the U.S,” which provides an interesting chart of ethics rules about Cloud services with a linked map of the U.S. [Thanks to Toby Brown (@gnawledge) for tweeting such a helpful resource.] The chart shows that in several states lawyers are required to use "reasonable care" in selecting and using Cloud services. The chart does not, however, contrast the lower standard now applicable in those same states to the use of Cloud email. The state bar associations that have addressed lawyers use of email do not impose any similar "reasonable care" standard but say lawyers are entitled to rely on an expectation of privacy in email.

There is no logical basis for this ethics rules distinction. It makes no sense to differentiate the transmission and storage of documents using Cloud email services versus the transmission and storage of documents using other types of Cloud services. The key functions of Cloud document transmission and storage solutions are essentially the same as transmitting and storing documents via Cloud email. From an ethics perspective, it should not matter whether the server on which a confidential document is stored belongs to a document storage provider (such as Dropbox) or a webmail provider (such as Yahoo!).

With this foundation in place, tune in next week for part two of this blog series as I explore reasonable steps, encryption, the client’s role and other measures to consider in light of the Massachusetts Bar Association Opinion 12-03.